ABSTRACT. We give a random class of lattices in $\mathbb{Z}^n$ whose elements can be generated together with a short vector in them so that, if there is a probabilistic polynomial time algorithm which finds a short vector in a random lattice with a probability of at least $\frac12$, then there is also a probabilistic polynomial time algorithm which solves the following three lattice problems in every lattice in $\mathbb{Z}^n$ with a probability exponentially close to one. (1) Find the length of a shortest nonzero vector in an $n$-dimensional lattice, approximately, up to a polynomial factor. (2) Find the shortest nonzero vector in an $n$-dimensional lattice $L$ where the shortest vector $v$ is unique in the sense that any other vector whose length is at most $n^c\|v\|$ is parallel to $v$, where $c$ is a sufficiently large absolute constant. (3) Find a basis $b_1,\dots,b_n$ in the $n$-dimensional lattice $L$ whose length, defined as $\max_{i=1}^n \|b_i\|$, is the smallest possible up to a polynomial factor. We get the following corollaries: if for any of the mentioned worst-case problems there is no polynomial time probabilistic solution then (a) there is a one-way function, and (b) for any fixed $\frac12 > \epsilon > 0$ there is a polynomial time computable function $r(m)$ with $m^{\epsilon} < \log r(m) < m^{2\epsilon}$, so that the randomized subset sum problem $\sum_{i=1}^m a_i x_i \equiv b \pmod{r(m)}$, $x_i = 0,1$ for $i = 1,\dots,m$, has no polynomial time probabilistic solution, where $a_i$, $i = 1,\dots,m$, and $b$ are chosen at random with uniform distribution from the interval $[1, r(m)]$.


Introduction. A large number of the existing techniques of cryptography include the generation of a specific instance of a problem in NP (together with a solution) which for some reason is thought to be difficult to solve. As an example we may think about factorization. Here a party of a cryptographic protocol is supposed to provide a composite number $m$ so that the factorization of $m$ is known to her but she has some serious reason to believe that nobody else will be able to factor $m$. The most compelling reason for such a belief would be a mathematical proof of the fact that the prime factors of $m$ cannot be found in fewer than $k$ steps in some realistic model of computation, where $k$ is a very large number. For the moment we do not have any proof of this type, neither for specific numerical values of $m$ and $k$, nor in some asymptotic sense. In spite of the lack of mathematical proofs, in two cases at least we may expect that a problem will be difficult to solve. One is the class of NP-complete problems. Here we may say that if there is a problem at all which is difficult to solve, then an NP-complete problem will provide such an example.

The other case is if the problem is a very famous question (e.g. factorization), which for a long time has been unsuccessfully attacked by the most able scientists. In both cases it is reasonable to expect that the problem is difficult to solve. Unfortunately the expression "difficult to solve" means difficult to solve in the worst case. If our task is to provide a specific instance of the problem, these general principles do not provide any guidance about how to create one.

It has been realized a long time ago that a possible solution would be to find a set of randomly generated problems and show that if there is an algorithm which finds a solution of a random instance with a positive probability, then there is also an algorithm which solves one of the famous unsolved problems in the worst case. (It does not really matter whether this "positive probability" is $1$, $\frac12$ or $n^{-c}$, because by taking many instances of the problem and asking for a solution for each of them, the probability can be improved.)

In this paper we give such a class of random prob- 
lems. In fact we give a random problem: find a short 
vector in a certain class of random lattices (whose el- 
ements can be generated together with a short vector 
in them), whose solution in the mentioned sense would 
imply the solution of a group of related “famous” prob- 
lems in the worst case. We mention here three of these 
worst-case problems: 

(P1) Find the length of a shortest nonzero vector in an $n$-dimensional lattice, approximately, up to a polynomial factor.

(P2) Find the shortest nonzero vector in an $n$-dimensional lattice $L$ where the shortest vector $v$ is unique in the sense that any other vector whose length is at most $n^c\|v\|$ is parallel to $v$, where $c$ is a sufficiently large absolute constant.

(P3) Find a basis $b_1,\dots,b_n$ in the $n$-dimensional lattice $L$ whose length, defined as $\max_{i=1}^n \|b_i\|$, is the smallest possible up to a polynomial factor.

Remarks. 1. (P2) can be given in a more general form. If a lattice $L \subseteq \mathbb{Z}^n$ is given, then find all sublattices $L' = V \cap L$ (by giving a basis in them), where $V$ is a $d$-dimensional subspace of $\mathbb{Z}^n$ so that $\min\{d, n-d\}$ is smaller than a constant and $V \cap L$ has a basis $v_1,\dots,v_d$ so that for all $w \in L \setminus V$, $n^{c_d} \max_{i=1}^d \|v_i\| < \|w\|$, where $c_d > 0$ is sufficiently large with respect to $d$, but does not depend on anything else.

2. The random problem can be also formulated as 
a linear simultaneous Diophantine approximation prob- 
lem. 

3. Although (P1) is not in NP (we are not able to check whether our estimate is good), still, our algorithm will give a one-sided certificate. Namely we may get a certificate which shows that there is no shorter vector than the lower bound in our estimate. (This certificate will be a basis with small length in the dual lattice.) In problem (P3) we get an estimate on the minimal basis length of the lattice. Since we get it together with a basis, we have a certificate for the upper bound. We get no certificate on the lower bound.

4. There are problems, e.g. find the discrete logarithm of a number modulo $p$, or decide whether a number is a quadratic residue modulo $m = pq$, where it is known that for any fixed choice of $p$ resp. $m$ the worst-case problem can be easily reduced to the average-case problem. For the choice of $p$ resp. $m$, however, there is no known method which would guarantee that we get a problem as hard as the worst case.

Notation. $\mathbb{R}$ is the field of real numbers, $\mathbb{Z}$ is the ring of integers, $\mathbb{R}^n$ is the Euclidean space of $n$-dimensional real vectors with the usual Euclidean norm $\|a\|$. $\mathbb{Z}^n$ is the set of vectors in $\mathbb{R}^n$ with integer coordinates.

Definitions. 1. If $a_1,\dots,a_n$ are linearly independent vectors in $\mathbb{R}^n$, then we say that the set $\{\sum_{i=1}^n k_i a_i \mid k_1,\dots,k_n \text{ are integers}\}$ is a lattice in $\mathbb{R}^n$. We will denote this lattice by $L(a_1,\dots,a_n)$. The set $a_1,\dots,a_n$ is called a basis of the lattice. The determinant of a lattice $L$ will be the absolute value of the determinant whose rows are the vectors $a_1,\dots,a_n$. $sh(L)$ will be the length of a shortest nonzero vector in $L$, and $bl(L)$ the length of the shortest basis as defined in (P3).

Historical remarks. The question of finding a short vector in a lattice was already formulated by Dirichlet in 1842, in the form of simultaneous Diophantine approximation problems. Although the lattices where these Diophantine problems can be formulated in terms of finding a short vector or estimating the length of a short vector form only a special class of lattices in $\mathbb{R}^n$, the random class that we will define later is an element of this special class. (Actually every lattice in $\mathbb{Z}^n$ is an element of this class.) Moreover Dirichlet's theorem about the existence of a good approximation, as we will see, is very relevant to our topic. His theorem is actually an upper bound on $sh(L)$.

Minkowski's theorem about convex, centrally symmetric bodies (published in 1896) is also an estimate of the length of the shortest nonzero vector (with respect to a norm defined by the convex body). In the case of the Euclidean norm, when the convex body is a sphere, it gives the upper bound $sh(L) \le c\sqrt{n}\,(\det L)^{1/n}$, where $\det L$ is the determinant of the lattice. This inequality and its consequences play an important role in our proof. Both Dirichlet's and Minkowski's proofs are non-constructive; they are based on the Pigeonhole Principle. Minkowski's theory of successive minima formulates (as the two extreme cases) the problem of finding the length of a shortest vector and the length of the shortest basis (in the sense given in our problems).

A.K. Lenstra, H.W. Lenstra and L. Lovász gave a deterministic polynomial time algorithm (the basis reduction or $L^3$ algorithm) which finds a vector in each lattice $L \subseteq \mathbb{R}^n$ whose length is at most $2^{\frac{n-1}{2}} sh(L)$. C.P. Schnorr proved that the factor $2^{\frac{n-1}{2}}$ can be replaced by $(1+\epsilon)^n$ for any fixed $\epsilon > 0$. These algorithms naturally give an estimate on $sh(L)$ up to a factor of $2^{\frac{n-1}{2}}$ resp. $(1+\epsilon)^n$. The $L^3$ algorithm was used in successful attacks on different knapsack cryptosystems (cf. Adleman [Ad], Lagarias and Odlyzko [LaOd], Brickell [Br]). Lattices where the shortest vector is unique in a sense similar to that of (P2) play an important role (see [LaOd]). (The polynomial factor of (P2) is substituted by an exponential one.)

The definition of the random class. The lattices of the random class will consist of vectors with integer coordinates. Moreover these lattices will be defined modulo $q$ (where $q$ will be an integer depending only on $n$), in the sense that if two vectors are congruent modulo $q$ then either both of them or neither of them belong to the lattice. Finally the lattices of the random class will be defined as the set of all sequences of integers of length $m$ ($m$ will depend only on $n$) which are orthogonal to a given sequence of vectors $u_1,\dots,u_m \in \mathbb{Z}^n$ modulo $q$. More precisely, if $v = (u_1,\dots,u_m)$ where $u_i \in \mathbb{Z}^n$, then let $\Lambda(v,q)$ be the lattice of all sequences of integers $h_1,\dots,h_m$ so that $\sum_{i=1}^m h_i u_i \equiv 0 \pmod q$, where the mod $q$ congruence of two vectors means that all of their coordinates are congruent. Every lattice in our random class will be of the form $\Lambda(v,q)$ for some $v$ and for a single fixed $q$ (depending only on $n$).

Our definition of the random class will depend on the choice of two absolute constants $c_1$ and $c_2$. If $n$ is given, let $m = [c_1 n \log n]$ and $q = [n^{c_2}]$. For each $n$ we will give a single random variable $\lambda$ so that $\Lambda = \Lambda(\lambda, q)$ is a lattice with dimension $m$. (The existence of a polynomial time algorithm which finds a short vector in $\Lambda$ will imply the existence of such an algorithm which solves the mentioned problems in every lattice $L \subseteq \mathbb{R}^n$.)

First we define a simplified version $\lambda'$ of $\lambda$, which can be defined in a simpler way. The disadvantage of $\lambda'$ is that we do not know how to generate $\lambda'$ together with a short vector in $\Lambda(\lambda', q)$. Then we define $\lambda$ (in a somewhat more complicated way) so that we can generate it together with a short vector in $\Lambda(\lambda, q)$, and we will also have that $P(\lambda \ne \lambda')$ is exponentially small. This last inequality implies that if we prove our theorem for $\Lambda(\lambda', q)$ then it will automatically hold for $\Lambda(\lambda, q)$ too.

Let $\lambda' = (v_1,\dots,v_m)$ where $v_1,\dots,v_m$ are chosen independently and with uniform distribution from the set of all vectors $(x_1,\dots,x_n)$ where $x_1,\dots,x_n$ are integers and $0 \le x_i < q$. To find a short vector in the lattice $\Lambda(\lambda', q)$ is equivalent to finding a solution for a linear simultaneous Diophantine approximation problem. Dirichlet's theorem implies that if $c_1$ is sufficiently large with respect to $c_2$ then there is always a vector shorter than $n$.

Definition of $\lambda$. We randomize the vectors $v_1,\dots,v_{m-1}$ independently and with uniform distribution on the set of all vectors $(x_1,\dots,x_n) \in \mathbb{Z}^n$ with $0 \le x_i < q$. Independently of this randomization we also randomize a $0,1$-sequence $\delta_1,\dots,\delta_{m-1}$ where the numbers $\delta_i$ are chosen independently and with uniform distribution from $\{0,1\}$. We define $v_m$ by $v_m \equiv -\sum_{i=1}^{m-1} \delta_i v_i \pmod q$ with the additional constraint that every component of $v_m$ is an integer in the interval $[0, q-1]$. Let $\lambda = (v_1,\dots,v_m)$. (If we want to emphasize the dependence of $\lambda$ on $n, c_1, c_2$ then we will write $\lambda_{n,c_1,c_2}$.) We prove that the distribution of $\lambda$ is exponentially close to the uniform distribution in the sense that $\sum_{a \in A} \bigl| P(\lambda = a) - |A|^{-1} \bigr| < 2^{-n}$, where $A$ is the set of possible values of $\lambda$. This will imply that the random variables $\lambda, \lambda'$ with the given distributions can be chosen in a way that $P(\lambda \ne \lambda')$ is exponentially small.

With this definition our theorem will be formulated in the following way: "if there is an algorithm which finds a short vector in $\Lambda(\lambda, q)$ given $\lambda$ as an input, then etc." That is, we allow the algorithm whose existence is assumed in the theorem to use $\lambda$.

The representation of the lattice vectors. To give an exact formulation of our results we have to fix some representation of the lattice vectors in problems (P1), (P2), (P3). As we have seen already, the vectors in the random lattice $\Lambda$ have integer coordinates, that is, they are in $\mathbb{Z}^m$. We will formulate problems (P1), (P2), (P3) in terms of vectors in $\mathbb{Z}^n$ as well. (Another possible approach would be to have lattice vectors in $\mathbb{R}^n$ given by oracles. In that case it is natural (and possible) to give the random class in terms of vectors whose components are random real numbers. The modulo $q$ arithmetic can be substituted by arithmetic modulo $1$.) The simplest approach is to assume that the lattices in $\mathbb{Z}^n$ are presented with a basis where each coordinate of each vector is an integer given by a polynomial (in $n$) number of bits. However our results remain valid even if the numbers are longer. Naturally in this case the input size is not $n$ (the dimension of the lattice) but the total number of bits in the presentation of the lattice, so our algorithm will be polynomial in this number.

Definitions. 1. If $v$ is a shortest nonzero vector in the lattice $L \subseteq \mathbb{R}^n$, and $\alpha > 1$, we say that $v$ is $\alpha$-unique if for any $w \in L$, $\|w\| < \alpha \|v\|$ implies that $v$ and $w$ are parallel.

2. If $k$ is an integer then $size(k)$ will denote the number of bits in the binary representation of $k$ ($size(0) = 1$). If $v = (x_1,\dots,x_n) \in \mathbb{Z}^n$ then $size(v) = \sum_{i=1}^n size(x_i)$. Our definition implies that for all $v \in \mathbb{Z}^n$, $size(v) \ge n$.

Theorem 1. There are absolute constants $c_1, c_2, c_3$ so that the following holds. Suppose that there is a probabilistic polynomial time algorithm $A$ which, given a value of the random variable $\lambda_{n,c_1,c_2}$ as an input, with a probability of at least $1/2$ outputs a nonzero vector of $\Lambda(\lambda_{n,c_1,c_2}, [n^{c_2}])$ of length at most $n$. Then there is a probabilistic algorithm $B$ with the following properties. If the linearly independent vectors $a_1,\dots,a_n \in \mathbb{Z}^n$ are given as an input, then $B$, in time polynomial in $\sigma = \sum_i size(a_i)$, gives the outputs $z, u, (d_1,\dots,d_n)$ so that, with a probability greater than $1 - 2^{-n}$, the following three requirements are met:

(1.1) if $v$ is a shortest nonzero vector in $L(a_1,\dots,a_n)$ then $z < \|v\| < nz$;

(1.2) if $v$ is an $n^{c_3}$-unique shortest nonzero vector in $L(a_1,\dots,a_n)$ then $u = v$ or $u = -v$;

(1.3) $d_1,\dots,d_n$ is a basis with $\max_{i=1}^n \|d_i\| < n^{c_3} bl(L)$.

Remarks. 1. The probability $1/2$ in the assumption about $A$ can be replaced by $n^{-c}$. This will increase the running time of $B$ by a factor of at most $n^{c}$ but does not affect the constants $c_1, c_2$ and $c_3$.

2. If we assume that $A$ produces a vector of length at most $n^{c'}$ for some $c' > 1$ then the theorem remains true but $c_1, c_2$ and $c_3$ will depend on $c'$.

3. In the formulation of the theorem we assumed that $A$ works for each positive integer $n$. Our proof however will show that if $A$ finds a short vector in $\Lambda(\lambda_{n,c_1,c_2}, [n^{c_2}])$ only for certain values of $n$ then there is a $B$ which solves the worst-case problems for the same values of $n$. (Since the estimates of the running time of $B$ are explicit, we get that there is an absolute constant $c'$ so that for each fixed positive integer $t$, if $A$ works for some fixed $n$ in time $n^t$ then $B$ also works for the same $n$ in time $n^{c't}$; that is, the theorem has an analogue for single values of $n$.)

In a similar way nonuniform versions of the theorem are also true, that is, we may assume that both $A$ and $B$ are polynomial-size probabilistic circuits.

One-way functions. We define a function $f$ in the following way. For each fixed positive integer $n$ we define a function $f = f^{(n)}$. Assume that $m = [c_1 n \log n]$ and $q = [n^{c_2}]$ where $c_1, c_2$ are given in the theorem. The domain of $f$ is the set of all sequences $v_1,\dots,v_{m-1}, \delta_1,\dots,\delta_{m-1}$ where each $v_i$, $i = 1,\dots,m-1$, is an $n$-dimensional vector $(x_1,\dots,x_n) \in \mathbb{Z}^n$ with $0 \le x_j < q$, and each $\delta_i$, $i = 1,\dots,m-1$, is either $0$ or $1$. Assume now that $x = (v_1,\dots,v_{m-1}, \delta_1,\dots,\delta_{m-1}) \in domain(f)$. Let $v_m \equiv -\sum_{i=1}^{m-1} \delta_i v_i \pmod q$ with the additional constraint that every component of $v_m$ is an integer in the interval $[0, q-1]$. We define now $f(x)$ for each $x = (v_1,\dots,v_{m-1}, \delta_1,\dots,\delta_{m-1})$ by $f(x) = (v_1,\dots,v_{m-1}, v_m)$. Assume now that $y = (v_1,\dots,v_m) = f(x)$ where $x$ is a random element of $domain(f)$. This means that $y$ is a random value of the random variable $\lambda_{n,c_1,c_2}$. Therefore if an algorithm is able to invert $f$ at $y$, that is, the algorithm can find an $x'$ with $f(x') = y$, then it has also found a short vector in $\Lambda(\lambda_{n,c_1,c_2}, q)$, namely the coefficient sequence $(\delta'_1,\dots,\delta'_{m-1}, 1)$ read off from $x'$. Consequently the theorem (and Remark 1) implies that if at least one of the three worst-case problems has no polynomial time probabilistic solution then $f$ is a one-way function.
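The construction above, as an added worked example (this code is not from the paper): it builds $\lambda = f(x)$ from a random $x$, checks that the coefficient vector $(\delta_1,\dots,\delta_{m-1},1)$ read off from the preimage lies in $\Lambda(\lambda,q)$ and has length at most $\sqrt{m}$, and contrasts it with the trivially available lattice vector $q e_1$ of length $q$. The parameter values $n, m, q$ are small constructed ones passed in explicitly; the paper fixes $m = [c_1 n \log n]$ and $q = [n^{c_2}]$.

```python
"""Ajtai's random lattice Lambda(lambda, q) and the function f built on it.

Added example, not code from the paper.  n, m, q are passed in explicitly
(the paper fixes m = [c_1 n log n] and q = [n^{c_2}]); the sample values in
demo() are constructed and small enough to inspect by hand.
"""
import math
import random
from typing import List, Sequence, Tuple

Vec = Tuple[int, ...]


def sample_preimage(n: int, m: int, q: int,
                    rng: random.Random) -> Tuple[List[Vec], List[int]]:
    """Draw x = (v_1..v_{m-1}, delta_1..delta_{m-1}) uniformly from domain(f):
    each v_i is uniform in {0..q-1}^n, each delta_i is uniform in {0,1}."""
    vs = [tuple(rng.randrange(q) for _ in range(n)) for _ in range(m - 1)]
    deltas = [rng.randrange(2) for _ in range(m - 1)]
    return vs, deltas


def ajtai_f(vs: Sequence[Vec], deltas: Sequence[int], q: int) -> List[Vec]:
    """f(x) = (v_1, ..., v_{m-1}, v_m) with v_m = -sum_i delta_i v_i (mod q),
    each coordinate of v_m reduced into [0, q-1].  The output is a value
    lambda of the random variable lambda_{n,c_1,c_2}."""
    n = len(vs[0])
    v_m = tuple((-sum(d * v[j] for d, v in zip(deltas, vs))) % q
                for j in range(n))
    return list(vs) + [v_m]


def in_lattice(lam: Sequence[Vec], q: int, h: Sequence[int]) -> bool:
    """h in Lambda(lambda, q)  <=>  sum_i h_i v_i == 0 (mod q) in every
    coordinate, where lambda = (v_1, ..., v_m)."""
    n = len(lam[0])
    return all(sum(hi * v[j] for hi, v in zip(h, lam)) % q == 0
               for j in range(n))


def short_vector_from_preimage(deltas: Sequence[int]) -> List[int]:
    """A preimage x of lambda under f yields h = (delta_1, ..., delta_{m-1}, 1):
    v_m + sum_i delta_i v_i == 0 (mod q) by construction, and the squared
    length of h is sum_i delta_i + 1 <= m."""
    return list(deltas) + [1]


def norm(h: Sequence[int]) -> float:
    return math.sqrt(sum(x * x for x in h))


def demo(n: int = 4, m: int = 12, q: int = 97, seed: int = 1) -> dict:
    """Generate one instance together with its short vector (constructed
    toy parameters) and compare it with the trivial lattice vector q*e_1."""
    rng = random.Random(seed)
    vs, deltas = sample_preimage(n, m, q, rng)
    lam = ajtai_f(vs, deltas, q)
    h = short_vector_from_preimage(deltas)
    trivial = [q] + [0] * (m - 1)      # always in Lambda, but of length q
    return {
        "h_in_lattice": in_lattice(lam, q, h),
        "h_norm": norm(h),
        "trivial_in_lattice": in_lattice(lam, q, trivial),
        "trivial_norm": norm(trivial),
        "bound_sqrt_m": math.sqrt(m),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```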

Sketch of the proof. We prove the theorem for the random variable $\lambda'$ instead of $\lambda$. The fact that their distributions are exponentially close to each other is not proved in this paper but can be found in [Ajt]. We show first that there is an algorithm $B$ so that (1.3) holds. By (1.3) we have an estimate $H$ on the minimal basis length up to a polynomial factor. It is a consequence of Minkowski's upper bound on $sh(L)$ that $H^{-1}$ is an estimate (up to a polynomial factor) on $sh(L^*)$, where $L^*$ is the dual lattice of $L \subseteq \mathbb{R}^n$. (The dual lattice is the lattice of all linear functionals on $\mathbb{R}^n$ that take integer values on every vector of $L$. Each element of $L^*$ is identified, in the natural way, with an element of the Euclidean space $\mathbb{R}^n$.) Therefore by estimating the minimal basis length of $L^*$ we also get an estimate on $sh((L^*)^*) = sh(L)$.

We will construct an algorithm which produces the output with property (1.2) by using an algorithm which satisfies (1.3). In this step we will not use the assumption about our random class directly. Therefore the critical part of the proof is the proof of (1.3).

First we note that from a set of $n$ linearly independent vectors $r_1,\dots,r_n \in L$ we can construct in polynomial time a basis $s_1,\dots,s_n$ of $L$ so that $\max_{i=1}^n \|s_i\| \le n \max_{i=1}^n \|r_i\|$. (See Lemma 1, or for a stronger version see the Mahler-Weyl lemma [Ca], p. 135.) Therefore it is enough to construct a set of linearly independent elements of $L$ so that each of them is shorter than $n^{c_3-1} bl(L)$.

Assume now that we have a lattice $L \subseteq \mathbb{Z}^n$ and assume that we have a set of linearly independent elements $a_1,\dots,a_n \in L$ so that $\max_{i=1}^n \|a_i\| = M$. If $M \le n^{c_3-1} bl(L)$ then we have already found a basis with the required properties. Assume that $M > n^{c_3-1} bl(L)$. We will construct another set of linearly independent elements $b_1,\dots,b_n \in L$ so that $\max_{i=1}^n \|b_i\| \le M/2$. Iterating this procedure we find a linearly independent set of elements $d_1,\dots,d_n$ with $\max_{i=1}^n \|d_i\| < n^{c_3-1} bl(L)$ in fewer than $\log_2 M < 2\sigma$ steps.

Starting from the set $a_1,\dots,a_n$, we construct a set of linearly independent elements $f_1,\dots,f_n$ in $L$ so that $\max_{i=1}^n \|f_i\| \le n^3 M$ and the parallelepiped $W = P(f_1,\dots,f_n)$ defined by the vectors $f_1,\dots,f_n$ is very close to a cube. Closeness will mean that the distance of each vertex of $P(f_1,\dots,f_n)$ from the vertices of a fixed cube will be at most $n^2 M$ and, as a consequence, the volume, the width, and the surface area of $W$ will be about the same as that of a cube of similar size. (See Lemma 2.) This will imply that if we cover the space with the cells of the lattice determined by a short basis, then most of the cells intersecting $W$ will be completely in its interior. (The number of exceptional cells is polynomially small compared to the total.) As a consequence we get that all of the parallelepipeds $u + W$, where $u$ is an arbitrary element of $\mathbb{R}^n$, have about the same number of lattice points. The error again will be a polynomially small fraction of the total. These remain true even if we consider all of the parallelepipeds $u + \frac{1}{q} W$ where $q = [n^{c_2}]$ and $c_3$ is sufficiently large with respect to $c_2$. This fact will ensure that if we pick a lattice point at random from a set $D$ of almost disjoint parallelepipeds of type $u + \frac{1}{q} W$, then the distribution induced on $D$ is very close to the uniform distribution. (We will consider two parallelepipeds almost disjoint if their interiors are disjoint.) We formulate these statements in Lemma 3 and Lemma 4.

Now we cut $W$ into $q^n$ small parallelepipeds, each of the form $\bigl(\sum_{i=1}^n \frac{t_i}{q} f_i\bigr) + \frac{1}{q} W$, where $0 \le t_i < q$, $i = 1,\dots,n$, is a sequence of integers. We take a random sequence of lattice points $\xi_1,\dots,\xi_m$, $m = [c_1 n \log n]$, from the parallelepiped $W = P(f_1,\dots,f_n)$ independently and with (almost) uniform distribution. (For the generation of the random sequence see Lemma 5 and Lemma 6.)


Assume that $\xi_j \in \bigl(\sum_{i=1}^n \frac{t_i^{(j)}}{q} f_i\bigr) + \frac{1}{q} W$. Let $v_j = (t_1^{(j)},\dots,t_n^{(j)})$. We will consider the sequence $v_1,\dots,v_m$ as a value of the random variable $\lambda'$. Applying algorithm $A$ to the input $v_1,\dots,v_m$ we get an $(h_1,\dots,h_m) \in \mathbb{Z}^m$ so that with a probability of at least $1/2$ its length is at most $n$ and $\sum_{j=1}^m h_j v_j \equiv 0 \pmod q$.


If $\eta_j = \sum_{i=1}^n \frac{t_i^{(j)}}{q} f_i$ then
$$u = \sum_{j=1}^m h_j \xi_j = \sum_{j=1}^m h_j (\xi_j - \eta_j) + \sum_{j=1}^m h_j \eta_j .$$
$\sum_{j=1}^m h_j v_j \equiv 0 \pmod q$ together with the definitions of $v_j$ and $\eta_j$ imply that the second term $\bar u = \sum_{j=1}^m h_j \eta_j$ is in $L(f_1,\dots,f_n) \subseteq L$. We may get an estimate on the first term using that $\sum_{j=1}^m h_j^2 \le n^2$ and (since $\xi_j$ and $\eta_j$ are in the same parallelepiped $\eta_j + \frac{1}{q} W$) the inequality $\|\xi_j - \eta_j\| \le n \cdot n^3 M q^{-1} \le n^4 n^{-c_2} M$. Therefore we get $\|u - \bar u\| \le n^4 n^{-c_2} M \cdot n^2 = n^{6 - c_2} M$; if $c_2 > 7$ this implies that $\|u - \bar u\| < M/2$, and because of $u \in L$, $\bar u \in L$ we have $u - \bar u \in L$.

We prove that $u - \bar u \ne 0$ with a positive probability by performing the randomization of the vectors $\xi_j$ in a different way. First we randomize the sequence of vectors $v_1,\dots,v_m$. This will uniquely determine both the numbers $h_1,\dots,h_m$ and the vectors $\eta_j$. Now we have to randomize the vectors $\xi_j - \eta_j$. Assume that we have randomized them for $j = 1,\dots,m-1$, and assume that $h_m \ne 0$. The distribution of $\xi_j - \eta_j$ is almost uniform in $\frac{1}{q} W$. Since $u - \bar u - h_m(\xi_m - \eta_m) = \sum_{j=1}^{m-1} h_j (\xi_j - \eta_j)$ is already fixed, we get that with high probability $u - \bar u$ is not $0$. By the same argument we also get that with high probability $u - \bar u$ is not in any fixed hyperplane. Therefore if we get many (say $n^2$) independent values of $u - \bar u$ then with high probability there will be $n$ linearly independent ones among them, and so we have constructed $n$ linearly independent elements in $L$ each of length at most $M/2$.

Subset Sum Problems. If we assume that the worst-case lattice problems are difficult for dimension $n$, then the following randomized subset sum problem will also be difficult. $q$ and $m$ will be the same numbers as in the proof above. Let $q_1,\dots,q_n$ be distinct primes between $q$ and $2q$, let $r$ be their product, and $a_1,\dots,a_m, b$ independent random numbers modulo $r$. Then we consider the subset sum problem $\sum_{i=1}^m x_i a_i \equiv b \pmod r$ where $x_i = 0,1$ for $i = 1,\dots,m$. The hardness of this problem follows from the proof that we sketched above.

If we cut the sides of the parallelepiped $W$ (as defined above) into $q_1,\dots,q_{n-1}$ resp. $q_n$ parts then we get $r = q_1 \cdots q_n$ little parallelepipeds (instead of $q^n$ as in the original proof). These parallelepipeds (or their vertices closest to the origin) form an Abelian group of order $q_1 \cdots q_n$. (The operation is addition modulo $W$, that is, each vector which is in the lattice $L_W$ whose basic parallelepiped is $W$ is congruent to $0$.) If the random problem $\sum_{i=1}^m x_i a_i \equiv b \pmod r$, where $x_i = 0,1$ for $i = 1,\dots,m$, is easily solvable then the analogous problem is also easily solvable in our cyclic group. The solution can play the role of the coefficients $h_1,\dots,h_m$ the same way as above. Actually everything remains the same if we pick a larger $m$, say $m = n^{c'}$ for some $c' > 0$. In this case $c_2$ from the definition of $q = [n^{c_2}]$ has to be sufficiently large with respect to $c'$. A simple calculation shows that the number of unknowns in the subset sum problem that we get this way can be greater than any fixed power of $\log r$, the number of bits in a single coefficient. Subset sum problems of this type can be used to construct one-way hash functions. (See R. Impagliazzo, M. Naor [IN].)

Sketch of the proof continued. (1.3) $\Rightarrow$ (1.2). Let $L_0 = L^*$ be the dual lattice of $L$. We show that if $L$ has an $n^{c_3}$-unique shortest vector then $L_0$ has an $(n-1)$-dimensional sublattice $L' = L_0 \cap F$, where $F$ is an $(n-1)$-dimensional subspace, so that the distances between the cosets of $F$ intersecting $L_0$ are at least $n^{c} bl(L')$. We prove that it is possible to compute a basis of $L'$, and using that, a shortest vector $v$ in $L$. ($v$ will be orthogonal to $L'$.)

Although we give a deterministic algorithm for finding $L'$ (using the algorithm of (1.3) as a black box), it is easier to sketch the idea of a probabilistic one. Assume that we take points of $L_0$ at random from a parallelepiped whose center is $0$ and whose diameter is at most $n^{c'} bl(L')$, where $c'$ is large with respect to $c$. (An inductive argument shows that we are able to construct such a parallelepiped.) If we take enough, but still a polynomial number, of random points from the parallelepiped, then at least two of them will be in the same coset of $L'$. With high probability they will be distinct. Therefore taking all of the differences of the random lattice points we get, among them, a nonzero lattice vector $u_1$ in $L' = L_0 \cap F$. The most important part of this proof is to show that we are able to decide whether a vector is in $L'$, that is, we are able to select the vector $u_1$ from the set of differences. If this can be done, then by repeating this procedure many times we will get a sequence $u_1, u_2, \dots$ of such vectors. The independence of the vectors $u_i$ implies that there will be $n-1$ linearly independent ones among them.

To decide whether $u$ is in $L'$ we consider the lattice $L_1$ generated by the vectors of $L_0$ and the vector $\frac{1}{t} u$, where $t > n^{c}$ is a prime number. (It is easy to see that this is indeed a lattice.) Using (1.3) we estimate $bl(L_0)$ and $bl(L_1)$. If the estimates do not differ by more than allowed by the error, then $u$ is in $L'$. If the estimate decreases by more than that, then $u \notin L'$. This follows from the fact that in the case of $u \in L'$, $L_1$ will be covered by the cosets of $F$ intersecting $L_0$, and so $bl(L_1)$ will be at least the distance of these cosets. In the case $u \notin L'$ there will be new cosets of $F$ which intersect $L_1$ but not $L_0$. Between two consecutive cosets intersecting $L_0$ there will be $t-1$ intersecting only $L_1$. We get a short basis of $L_1$ from a short basis of $L'$ and a lattice vector of minimal length connecting two consecutive cosets of $F$ intersecting $L_1$. End of sketch.

Lemma 1. Assume that $a_1,\dots,a_n \in \mathbb{R}^n$ are linearly independent vectors, $d_1,\dots,d_n \in L(a_1,\dots,a_n)$ are also linearly independent and $\|d_i\| \le M$. Then there is a basis of $L(a_1,\dots,a_n)$ consisting of vectors no longer than $nM$. Moreover, if $a_i, d_i$ are integer vectors for $i = 1,\dots,n$, the required basis can be found in time polynomial in $\sum_{i=1}^n (size(a_i) + size(d_i))$.

We prove the lemma by induction on $n$. The $n = 1$ case is trivial. Suppose that our assertion holds for lattices of dimension $n-1$. Let $F$ be the hyperplane generated by $d_1,\dots,d_{n-1}$ and let $L' = L(a_1,\dots,a_n) \cap F$. $L'$ is an $(n-1)$-dimensional lattice, that is, it has a basis over the integers (since it is a subgroup of a free Abelian group). According to our inductive assumption $L'$ has a basis $b_1,\dots,b_{n-1}$ with $\max_{i=1}^{n-1} \|b_i\| \le (n-1)M$. Let $F' \ne F$ be a coset of $F$ with $L(a_1,\dots,a_n) \cap F' \ne \emptyset$ so that the distance of $F$ and $F'$ is minimal. Clearly this distance is not greater than the distance of $d_n$ from $F$ and therefore it is not greater than $M$. Let $u \in L(a_1,\dots,a_n) \cap F'$. Let $a'$ be the vector that we get from $u$ by projecting it orthogonally to $F$. By expressing $a'$ as a linear combination of the vectors $d_1,\dots,d_{n-1}$, then rounding off the coefficients to the nearest integer, we may write $a'$ in the form $w + a''$, where $w \in L'$ and $\|a''\| \le \frac12 \sum_{i=1}^{n-1} \|d_i\| \le (n-1)M$. $b_1,\dots,b_{n-1}, u - w$ is a basis of $L = L(a_1,\dots,a_n)$, since, according to the minimality of the distance of $F'$ from $F$, $L(b_1,\dots,b_{n-1}, u - w)$ contains all cosets of $L'$ in $L$. Since the distance of $F$ and $F'$ is at most $M$ we have that $\|u - a'\| \le M$, therefore $\|u - w\| \le (\|u - a'\|^2 + \|a''\|^2)^{1/2} \le (1 + (n-1)^2)^{1/2} M < nM$ implies that every element of this basis is of length at most $nM$. The inequality $\|u - w\| \le (n^2 - 2n + 2)^{1/2} M < nM$ shows that even if we compute $a'$ only approximately, with a precision of, say, $n^{-2} M$, the vector $u - w \in L$ that we get from this approximate value will be shorter than $nM$. Q.E.D. (Lemma 1)

Definition. 1. If $b_1,\dots,b_n \in \mathbb{R}^n$ then $P(b_1,\dots,b_n)$ will denote the parallelepiped $\{\sum_{i=1}^n y_i b_i \mid 0 \le y_i \le 1\}$.

2. The minimal height (or width) of $P(b_1,\dots,b_n)$ will be the minimum of the heights belonging to the various faces of $P(b_1,\dots,b_n)$.

Lemma 2. Suppose that $a_1,\dots,a_n$ are vectors in $\mathbb{R}^n$ and $\max_{i=1}^n \|a_i\| \le M$. Then there are linearly independent elements $b_1,\dots,b_n \in L(a_1,\dots,a_n)$ so that $\max_{i=1}^n \|b_i\| \le (n^3 + \frac12 n) M$, the volume of $P(b_1,\dots,b_n)$ is between $\frac12 (n^3 M)^n$ and $2 (n^3 M)^n$, its surface area is at most $6n (n^3 M)^{n-1}$, and its minimal height is at least $\frac23 n^3 M$. Moreover, if $a_1,\dots,a_n \in \mathbb{Z}^n$ then $b_1,\dots,b_n$ can be computed in time polynomial in $\sum_i size(a_i)$.

Proof. The assumption about the lengths of the basis vectors $a_i$ implies that for each vector $v$ there is a $v' \in L(a_1,\dots,a_n)$ so that $\|v - v'\| \le \frac12 Mn$. Indeed we may get such a $v'$ by expressing $v$ as a linear combination of the vectors $a_i$ with real coefficients and then rounding off each coefficient to the closest integer. Assume now that $f_1,\dots,f_n$ are pairwise orthogonal $n$-dimensional vectors with length exactly $n^3 M$. For each $i = 1,\dots,n$ let $b_i$ be a lattice vector so that $\|f_i - b_i\| \le \frac12 nM$. (Clearly this construction, which only involves the solution of a linear system of equations and rounding, can be completed in polynomial time.) Let $Q = P(f_1,\dots,f_n)$, $Q' = P(b_1,\dots,b_n)$. The distance of each vertex of $Q'$ from the corresponding vertex of $Q$ is at most $\frac12 n^2 M$. Therefore if we enlarge the cube $Q$ from its center by a factor of $1 + \frac1n$ then it will contain $Q'$. $Q_0$ will denote the enlarged cube. In a similar way, if we reduce it into a cube $Q_1$ by the same factor then it will be contained in $Q'$. $volume(Q_1) \le volume(Q') \le volume(Q_0)$, and the elementary bounds on $(1 + \frac1n)^{-n}$ and $(1 + \frac1n)^{n}$ imply our assertion about the volume. $Q_1 \subseteq P(b_1,\dots,b_n)$, therefore $P(b_1,\dots,b_n)$ contains a sphere of radius at least $\frac12 n^3 M (1 - \frac1n) \ge \frac13 n^3 M$, and so the minimal height of $P(b_1,\dots,b_n)$ is at least $\frac23 n^3 M$. We get the upper bound on the surface area by estimating the area of each face using the upper bound $(n^3 + \frac12 n) M$ on the lengths of their edge vectors. This yields the upper bound $2n (n^3 + \frac12 n)^{n-1} M^{n-1} = 2n (n^3 M)^{n-1} (1 + \frac{1}{2n^2})^{n-1} \le 6n (n^3 M)^{n-1}$. Q.E.D. (Lemma 2)

Lemma 3. Assume that $L = L(a_1,\dots,a_n)$ is a lattice in $\mathbb{R}^n$, where $\|a_i\| \le M$, $i = 1,\dots,n$, and $g_1,\dots,g_n$ are linearly independent vectors in $\mathbb{R}^n$ (not necessarily in $L$) and $b \in \mathbb{R}^n$. Let $k_0$ resp. $k_1$ be the number of lattice points in the closed set $b + P(g_1,\dots,g_n)$ resp. in its interior. Let $H$ be the minimal height, let $V$ be the volume and let $S$ be the surface area of $P(g_1,\dots,g_n)$. Then
(a) $(\det L)^{-1} (1 - \frac{2Mn}{H})^n V \le k_j \le (\det L)^{-1} (1 + \frac{2Mn}{H})^n V$, $j = 0, 1$;
(b) if $F$ is a hyperplane then the number of lattice points in $F \cap (b + P(g_1,\dots,g_n))$ is at most $2SMn (1 + \frac{2Mn}{H})^{n-1} (\det L)^{-1}$.

Proof. (a) Let $W = b + P(g_1,\dots,g_n)$; let $W'$ be the set that we get from $W$ by enlarging it from its center by a factor of $1 + \frac{2Mn}{H}$ and $W''$ be the set that we get from it by reducing it by $1 - \frac{2Mn}{H}$. Let $B$ be the set of all parallelepipeds of the form $v + P(a_1,\dots,a_n)$, where $v$ is a lattice point and $(v + P(a_1,\dots,a_n)) \cap W$ is non-empty. The definitions of $W', W''$ imply that every element of $B$ is contained in $W'$ and every element of $B$ intersecting $W''$ is contained in $W$. Therefore we get the upper bounds from the fact that the number of elements of $B$ contained in $W'$ can be at most $\mathrm{volume}(W')/\det(L)$. We get the lower bound on $k_0$ in the following way. Let $D$ be the set of those elements of $B$ that intersect $W''$. Clearly $|D| \le k_0$. The definition of $W''$ implies that the elements of $D$ cover $W''$, so $|D| \ge \mathrm{volume}(W'')(\det L)^{-1}$. To get the lower bound on $k_1$, we may repeat our argument for each $\epsilon > 0$ with $W''_\epsilon$ instead of $W''$, where we get $W''_\epsilon$ by reducing $W$ with a factor of $1 - \frac{2Mn}{H} - \epsilon$. This way the elements of the set $D$ will be in the interior of $W$. Taking the limit for all of the resulting lower bounds for $k_1$ we get (a).

(b) Let $G$ be the set of those elements of $B$ which intersect $F$. The definition of $W'$ implies that the distance of $F \setminus W'$ from $F \cap W$ is at least $Mn$. (Any pair of points from them are separated by a pair of corresponding parallel faces of $W$ and $W'$ whose distance is at least $Mn$.) Therefore if $\pi$ is the orthogonal projection of $\mathbb{R}^n$ to $F$ and $T \in G$ then $\pi(T)$ is in $F \cap W'$. Consequently each $T \in G$ is contained in the body that consists of all points $x$ with $\pi x \in W' \cap F$ whose distance from $F$ is at most $Mn$. The volume of this body is $2\,\mathrm{area}(W' \cap F)Mn$ and $\mathrm{area}(W' \cap F)$ is at most the surface area of $W'$, which implies our inequality. Q.E.D. (Lemma 3)

Definition. If $a_1,\dots,a_n \in \mathbb{R}^n$ are linearly independent vectors then $P^-(a_1,\dots,a_n)$ will denote the set $\{\sum_{i=1}^n \gamma_i a_i \mid 0 \le \gamma_i < 1\}$.

Lemma 4. Assume that $L = L(a_1,\dots,a_n)$ is a lattice in $\mathbb{R}^n$, $\|a_i\| \le M$ for $i = 1,\dots,n$, $b_1,\dots,b_n$ are linearly independent elements of $L$, $V$ is the volume, $S$ is the surface area and $H$ is the minimal height of $P(b_1,\dots,b_n)$, $q$ is a positive integer and the following inequalities hold
(i) saa 
(ii) $5SMn < V$.

Suppose further that $\xi$ is a random variable that takes its values with uniform distribution on the set $R$ of lattice points of $P^-(b_1,\dots,b_n)$. Then there are random variables $\zeta, \eta$ with $\xi = \zeta + \eta$ so that $\zeta$ has uniform distribution on $E = \{\sum_{i=1}^n k_i b_i \mid k_i \in \{0, \frac1q, \dots, \frac{q-1}{q}\},\ i = 1,\dots,n\}$, and for each fixed $t \in E$ the conditional distribution of $\eta$ with the condition $\zeta = t$ meets the following requirements:

(a) $P(\eta \in P^-(\frac1q b_1,\dots,\frac1q b_n) \mid \zeta = t) \ge 1 - \frac{1}{n^2}$

(b) for any fixed hyperplane $F$ in $\mathbb{R}^n$, $P(\eta \in F \mid \zeta = t) \le 1/2$

Proof. Let $T$ be the set of all sequences $t_1,\dots,t_n$ so that $t_i \in \{0, 1, \dots, q-1\}$ and for each $t = (t_1,\dots,t_n) \in T$ let $W_t = P^-(\frac1q b_1,\dots,\frac1q b_n) + \sum_{i=1}^n \frac{t_i}{q} b_i$. Lemma 3 gives the following estimate on $w_t$, the number of lattice points in $W_t$:

$(\det L)^{-1}(1 - \frac{2Mnq}{H})^n q^{-n}V \le w_t \le (\det L)^{-1}(1 + \frac{2Mnq}{H})^n q^{-n}V.$

Inequality (i) implies that $1 - \frac{1}{3n^2} \le (1 - \frac{2Mnq}{H})^n \le 1 \le (1 + \frac{2Mnq}{H})^n \le 1 + \frac{1}{3n^2}$ and so

(1) $(1 - \frac{1}{3n^2})(\det L)^{-1}q^{-n}V \le w_t \le (1 + \frac{1}{3n^2})(\det L)^{-1}q^{-n}V.$

Let $a = \lfloor (1 - \frac{1}{3n^2})(\det L)^{-1}q^{-n}V \rfloor$ and for each $t \in T$ let $W'_t$ be an arbitrary but fixed subset of $W_t$ with exactly $a$ elements. For the definition of $\zeta$ we will use another random variable $\rho$ which is independent of $\xi$ and has uniform distribution on $E$. Suppose that both $\xi$ and $\rho$ have been randomized. If $\xi \in \bigcup_{t \in T} W'_t$ then there is a unique $t = (t_1,\dots,t_n) \in T$ with $\xi \in W'_t$. In this case let $\zeta = \sum_{i=1}^n \frac{t_i}{q} b_i$. If $\xi$ is outside of $\bigcup_{t \in T} W'_t$ then let $\zeta = \rho$. Since $|W'_t|$ does not depend on $t$ and $\xi, \rho$ are independent, we have that $\zeta$ has uniform distribution on $E$.

(a) (1) and the definition of $a$ imply that the probability of $\xi \in \bigcup_{t \in T} W'_t$ is greater than $1 - \frac{1}{n^2}$. In this case the definition of $\zeta$ implies that if $\xi \in W'_t$ then $W_t = \zeta + P^-(\frac1q b_1,\dots,\frac1q b_n)$ and so $\eta = \xi - \zeta \in P^-(\frac1q b_1,\dots,\frac1q b_n)$.

(b) According to (a) it is enough to show that $P(\eta \in F \mid \zeta = t,\ \xi \in W'_t) \le \frac12 - \frac{1}{n^2}$. By Lemma 3 and inequalities (i), (ii), the number of lattice points on $F \cap W'_t \subseteq F \cap W_t$ is at most $\frac25(1 + \frac{1}{3n^2})q^{-n}V(\det L)^{-1}$. Therefore the definition of $a = |W'_t|$ and the fact that with the condition $\xi \in W'_t$, $\xi$ is uniform on $W'_t$ imply (b). Q.E.D. (Lemma 4)

Lemma 5. Assume that $a_1,\dots,a_n \in \mathbb{R}^n$ are linearly independent. Then, for each $b \in \mathbb{R}^n$, there is a unique $b' \in P^-(a_1,\dots,a_n)$ so that $b - b' \in L(a_1,\dots,a_n)$; moreover, if $b \in \mathbb{Z}^n$ and $a_i \in \mathbb{Z}^n$, $i = 1,\dots,n$, then $b'$ can be computed in polynomial time in $\mathrm{size}(b) + \sum_i \mathrm{size}(a_i)$.

Proof. We express $b$ as a linear combination of the vectors $a_i$ then take the integral part of the coefficients. Assume that we get the vector $v = \sum_{i=1}^n r_i a_i$. $b' = b - v$ will satisfy our requirement. The uniqueness of $b'$ is trivial. Q.E.D. (Lemma 5)

Definition. Assume that $a_1,\dots,a_n, b$ are as in Lemma 5. We will denote the unique $b'$ described in the lemma by $b \bmod (a_1,\dots,a_n)$.


Lemma 6. For all $c_1 > 0$ there is a $c_2 > 0$ so that the following holds. Assume that $d_1,\dots,d_n$ are linearly independent vectors in $\mathbb{Z}^n$, $\sigma > n$ and $a_1,\dots,a_n \in L = L(d_1,\dots,d_n)$ is a set of linearly independent vectors as well, with $\max_{i=1}^n \|a_i\| \le 2^{c_1\sigma}$ and $\max_{i=1}^n \|d_i\| \le 2^{\sigma}$. Suppose further that $\mu_1,\dots,\mu_n$ are independent random variables which take their values with uniform distribution on the integers in the interval $[0, 2^{c_2\sigma}]$. Let $\chi = (\sum_{i=1}^n \mu_i d_i) \bmod (a_1,\dots,a_n)$. Then the distribution of $\chi$ on the points of $L \cap P^-(a_1,\dots,a_n)$ is almost uniform in the following sense:

if for each $v \in P^-(a_1,\dots,a_n)$, $p_v = P(\chi = v)$ and $k$ is the number of lattice points in $P^-(a_1,\dots,a_n)$, then

$\sum_{v \in L \cap P^-(a_1,\dots,a_n)} |p_v - \frac1k| \le 2^{-\sigma}.$

Proof. We will need the following observations in the proof. For each real number $\alpha$ let $W_\alpha = P^-(\alpha d_1,\dots,\alpha d_n)$. Since $d_1,\dots,d_n$ is a basis of $L$ we have that if $\alpha$ is a positive integer then the number of lattice points in $W_\alpha$ is $\alpha^n$. Since the volume of $W_1$ is at least 1 (the value of a nonzero determinant with integer entries) and the area of any face of it is at most $\prod_{i=1}^n \|d_i\|$, we have that the minimal height $H$ of $W_1$ is at least $(\prod_{i=1}^n \|d_i\|)^{-1} \ge 2^{-\sigma n}$.

Let $t = \lfloor 2^{c_2\sigma} \rfloor$. Let $X'$ be the set of all parallelepipeds $J$ of the form $J = u + P^-(a_1,\dots,a_n)$ with $u \in L$ and $J \cap W_t \ne \emptyset$. Let $X$ be the set of all sets $J \in X'$ with $J \subseteq W_t$. If we enlarge $W_t$ from its center by a factor of $\gamma = 1 + \frac{2n2^{c_1\sigma}}{tH}$ then the resulting set $W'$ will contain every element of $X'$. By Lemma 3 the number of lattice points in $W' \setminus W_t$ is at most $(\det L)^{-1}\big((1 + \frac{2n2^{c_1\sigma}}{tH})^n - (1 - \frac{2n2^{c_1\sigma}}{tH})^n\big)\mathrm{volume}(W_t)$. If $c_2$ is sufficiently large with respect to $c_1$ then this is at most $2^{-2c_1\sigma n}t^n$.

Let $r$ be the unique element of $X'$ containing $\sum_{i=1}^n \mu_i d_i$. The elements of $X$ are disjoint, so $p_v = \big(\sum_{J \in X} P(\chi = v \mid r = J)P(r = J)\big) + P(\chi = v \mid r \notin X)P(r \notin X)$. The distribution of $\chi$ is uniform on $L \cap P^-(a_1,\dots,a_n)$ with the condition $r = J$ for each fixed $J \in X$, therefore the first term is $\frac1k P(r \in X)$, which does not depend on $v$.

The second term is at most $P(r \notin X)$. This is smaller than the number of lattice points in $\bigcup X' \setminus \bigcup X$ divided by $t^n$, that is smaller than $2^{-2c_1\sigma n}$. Since the number of lattice points in $P^-(a_1,\dots,a_n)$ is at most $\mathrm{volume}(P^-(a_1,\dots,a_n))(\det L)^{-1} \le 2^{c_1\sigma n}$, this implies our statement. Q.E.D. (Lemma 6)

Using the previous lemmata we can conclude the proof of the theorem in the following way. First we describe the algorithm.

Using Lemma 2 with $a_i \to u_i$ and $M \to \max_{i=1}^n \|u_i\|$ we construct a set of linearly independent vectors $v_1,\dots,v_n \in L(a_1,\dots,a_n)$ so that $\max_i \|v_i\| \le (n^3 + \frac12 n)M$ and for the volume $V$, surface area $S$ and minimal height $H$ of $P(v_1,\dots,v_n)$ we have certain bounds. Now we take a random point of $L(a_1,\dots,a_n)$ with almost uniform distribution in $W = P^-(v_1,\dots,v_n)$. More precisely Lemma 6 guarantees that we can compute in polynomial time the value of a random variable $\chi$ which takes its values from $R$, the set of lattice points in $W$, and has the property $\sum_{v \in R} |P(\chi = v) - \frac{1}{|R|}| \le 2^{-n}$. We may write $\chi$ in the form of $\sum_{i=1}^n \beta_i v_i$, where $0 \le \beta_i < 1$. By solving a system of linear equations we may find the rational numbers $\beta_i$ in polynomial time. Let $q = \lfloor n^c \rfloor$ and $t_i = \lfloor q\beta_i \rfloor$, $i = 1,\dots,n$ and $\sigma = (t_1,\dots,t_n)$. Repeating this procedure with independent values of $\chi$ we get a sequence of values $\chi_j, \sigma_j$, $j = 1,\dots,m$, where $m = \lfloor c_1 n \log n \rfloor$. Let $L_1$ be the lattice of $m$-dimensional integer vectors $(h_1,\dots,h_m)$ so that $q \mid \sum_{i=1}^m h_i\sigma_i$. Now we apply our probabilistic algorithm $A$, whose existence was assumed, with the lattice $L_1$ and in polynomial time we either get a vector $s_1 \in L_1$ with $\|s_1\| \le n$ or we recognize that the algorithm failed to produce the required result. In this case let $s_1 = 0 \in \mathbb{R}^m$. In either case $s_1 = (z_1,\dots,z_m)$ is a sequence of integers. Next we find the vector $f_1 = \sum_{i=1}^m z_i\chi_i$ and $g_1 = (f_1) \bmod (v_1,\dots,v_n)$. (That is, $g_1$ is the unique element of $P^-(v_1,\dots,v_n)$ with $f_1 - g_1 \in L(v_1,\dots,v_n)$.) We repeat this whole procedure $3n$ times and get a sequence of vectors $g_1,\dots,g_{3n}$. Let $G$ be the set of those vectors $g_i$, $i = 1,\dots,3n$, which are nonzero and are shorter than $(n^3 + \frac12 n)\frac{n^4M}{q} < \frac{M}{2}$. We try to select $n$ linearly independent vectors from $G$. If we succeed then the set of these vectors $b_1,\dots,b_n$ is the output. If we do not succeed then we apply the algorithm given in Lemma 1 with $d_i \to u_i$ and we get a basis $b_1,\dots,b_n$ with $\max_{i=1}^n \|b_i\| \le n\max_{i=1}^n \|u_i\|$. In this case the sequence $b_1,\dots,b_n$ defined in this shorter alternative way will be the output.

Now we prove the correctness of our algorithm. If for any basis $d_1,\dots,d_n$ of $L(a_1,\dots,a_n)$ we have $\max_{i=1}^n \|u_i\| \le n^{c_3+1}\max_{i=1}^n \|d_i\|$ then the vectors $b_1,\dots,b_n$ defined by the short alternative way using Lemma 1 (described at the very end of the algorithm) satisfy the requirements of the lemma. Therefore we may assume in the following that there is a basis $d_1,\dots,d_n \in L(a_1,\dots,a_n)$ so that $\max_{i=1}^n \|u_i\| > n^{c_3+1}\max_{i=1}^n \|d_i\|$.

When we start the algorithm we have $n$ linearly independent vectors $u_1,\dots,u_n$ in the lattice $L(a_1,\dots,a_n)$. We try to construct from them another set of vectors whose maximal norm is smaller by a factor of two. To start our construction we replace $u_1,\dots,u_n$ by another set of vectors $v_1,\dots,v_n$ which are not essentially longer (only by about a factor of $n^3$) but whose parallelepiped $P(v_1,\dots,v_n)$ is as close to a cube as possible. Lemma 2 with $a_i \to u_i$ gives such a construction. Therefore we get a set of vectors $v_1,\dots,v_n \in L(a_1,\dots,a_n)$ so that if $\max_{i=1}^n \|u_i\| = M$ then $\max_{i=1}^n \|v_i\| \le (n^3 + \frac12 n)M$ and if $V$ is the volume, $S$ is the surface area and $H$ is the minimal height of $P(v_1,\dots,v_n)$ then $\frac14(n^3M)^n \le V \le 3(n^3M)^n$, $S \le 6n(n^3M)^{n-1}$ and $H \ge \frac23 n^3M$. The role of these inequalities will be that they guarantee that if we take parallelepipeds $x + P(v_1,\dots,v_n)$ for different elements $x \in \mathbb{R}^n$ then the number of lattice points in them will be about the same in the sense that the differences will be small relative to the total number of lattice points. Another consequence of the inequalities is that there will be relatively few lattice points in a parallelepiped of this type which lies on any single fixed hyperplane. These properties do not necessarily hold if the parallelepiped is either small relative to the maximal length of any basis of the lattice, or it is very much distorted, e.g. one of its heights is very small. Actually we will need these properties in the case of parallelepipeds of the form $P(\frac1q v_1,\dots,\frac1q v_n)$ where $q = \lfloor n^c \rfloor$.

For the next step we need the following observation. Lemma 6 gives a random variable $\chi$ which has only an almost uniform distribution on the set $R$. However in our proof we may assume that the distribution of $\chi$ is actually uniform. Indeed we know that $\sum_{v \in R} |P(\chi = v) - \frac{1}{|R|}| \le 2^{-n}$. This means that there is a random variable $\chi'$ so that $\chi'$ has uniform distribution and $P(\chi \ne \chi') \le 2^{-n}$. Therefore we may assume that we work with $\chi'$ and with high probability its value is the same as $\chi$. This will lead only to a $2^{-n}$ failure rate in the algorithm. (Even if the failure rate were higher we could decrease it exponentially by repeating the algorithm.)

Assume now that the vectors $g_1,\dots,g_j$ have already been constructed for some $0 \le j < 3n$ and we now start the construction of $g_{j+1}$. Let $G_j$ be a maximal subset of linearly independent vectors of $\{g_1,\dots,g_j\}$ with the property that for all $g \in G_j$ we have $g \ne 0$ and $\|g\| \le (n^3 + \frac12 n)\frac{n^4M}{q}$. Let $F$ be a hyperplane in $\mathbb{R}^n$ containing $G_j$. We will prove that (for the randomizations involved in the selection of $g_{j+1}$ only and considering $F$ as fixed), we have

(2) $P\big(g_{j+1} \notin F \text{ and } \|g_{j+1}\| \le (n^3 + \frac12 n)\frac{n^4M}{q}\big) \ge \frac15.$

First we notice that (2) implies the lemma. Indeed (2) and Chernoff's inequality imply that the set $G$ as defined in the algorithm will contain $n$ linearly independent elements.

Now we prove (2). First we prove that

(3) $P\big(\|g_{j+1}\| \le (n^3 + \frac12 n)\frac{n^4M}{q}\big) \ge 1 - \frac{m}{n^2}.$

We apply Lemma 4 with $b_i \to v_i$, $i = 1,\dots,n$, and $\xi \to \chi$. (As we have explained above we may assume that $\chi$ has uniform distribution on the set of lattice points in $P^-(v_1,\dots,v_n)$.) According to Lemma 4, $\chi$ can be written in the form of $\zeta + \eta$ where $\zeta$ is uniform on $E$ and we also know something about the conditional distribution of $\eta$. We claim that if we repeat this process and get the sequences $\zeta_1,\dots,\zeta_m$, $\eta_1,\dots,\eta_m$ then with a probability of at least $1 - \frac{m}{n^2}$,

(4) $\zeta_1 = \sigma_1, \dots, \zeta_m = \sigma_m$ (identifying $\sigma_i = (t_1,\dots,t_n)$ with $\sum_{l=1}^n \frac{t_l}{q}v_l \in E$) and $\|\eta_i\| \le n^2(n^3 + \frac12 n)\frac{M}{q}$ for $i = 1,\dots,m$.

Indeed, (a) of Lemma 4 implies that for all $i = 1,\dots,m$ with a probability of at least $1 - \frac{1}{n^2}$ we have $\zeta_i = \sigma_i$ and the vector $\eta_i$ is inside the parallelepiped $P^-(\frac1q v_1,\dots,\frac1q v_n)$, and so the upper bound on the vectors $v_1,\dots,v_n$ implies the required upper bound on $\eta_i$. The vector $z = (z_1,\dots,z_m)$ is no longer than $n$. We show that (4) implies that $\|g_j\| \le (n^3 + \frac12 n)\frac{n^4M}{q}$. Indeed by (4) and the definition of $f_j$ we have $f_j = \sum_{i=1}^m z_i\chi_i = \sum_{i=1}^m z_i(\zeta_i + \eta_i) = \sum_{i=1}^m z_i\zeta_i + \sum_{i=1}^m z_i\eta_i$. We know that either $z = 0$ or we get $z$ as the output of $A$. In either case we have $\|z\| \le n$ and $q \mid \sum_{i=1}^m z_i\sigma_i$. The latter relation and the definition of $\sigma_i$ imply that $\sum_{i=1}^m z_i\zeta_i \in L(v_1,\dots,v_n)$ and so $g_j = (f_j) \bmod (v_1,\dots,v_n) = \sum_{i=1}^m z_i\eta_i$, whose length is at most $\sum_{i=1}^m |z_i|\,\|\eta_i\| \le (n^3 + \frac12 n)\frac{n^4M}{q}$, which completes the proof of (3).

We continue the proof of (2) by showing that

(5) $P(g_{j+1} \notin F) \ge \frac14 - \frac{2m}{n^2}.$

As we have seen the probability of $\sigma_1 = \zeta_1, \dots, \sigma_m = \zeta_m$ is at least $1 - \frac{m}{n^2}$. Therefore it is enough to show that if we change our algorithm so that instead of $\sigma_i$, $i = 1,\dots,m$, we use $\zeta_i$, $i = 1,\dots,m$, in the definition of the vector $(h_1,\dots,h_m)$ and so in the definition of $z$, $f_{j+1}$ and $g_{j+1}$, then (5) holds if we change the right-hand side into $\frac14 - \frac{m}{n^2}$.

We may randomize all of the random variables $\chi_1,\dots,\chi_m$ by first randomizing $\zeta_1,\dots,\zeta_m$ and then $\eta_1,\dots,\eta_m$. Since the definition of the numbers $h_i$ depends only on $\zeta_i$ (and not on $\eta_i$), the values $\zeta_1,\dots,\zeta_m$ already determine whether algorithm $A$ succeeds in finding a short vector. The probability (for the randomization of $\zeta_1,\dots,\zeta_m$ only) that it does not succeed is at most $1/2$. Therefore it is sufficient to show that for any possible values $t^{(1)},\dots,t^{(m)}$ of the sequence $\zeta_1,\dots,\zeta_m$, if $\zeta_1 = t^{(1)},\dots,\zeta_m = t^{(m)}$ implies that $A$ finds a short vector then

(6) $P(g_{j+1} \notin F \mid \zeta_1 = t^{(1)},\dots,\zeta_m = t^{(m)}) \ge \frac12 - \frac{2m}{n^2}.$

Assume now that $\zeta_1 = t^{(1)},\dots,\zeta_m = t^{(m)}$ for such a sequence $t^{(1)},\dots,t^{(m)}$. Since $A$ finds a short vector we have $z \ne 0$. Let $p$ be the smallest positive integer with $z_p \ne 0$. We consider $p$ as a random variable; it is determined by $\zeta_1,\dots,\zeta_m$ and by the randomization included in $A$. Now we randomize $\eta_p$. (b) of Lemma 4 implies that for any fixed $r$ we have $P(\eta_p \in F \mid \zeta_1 = t^{(1)},\dots,\zeta_m = t^{(m)},\ p = r) \le 1/2$. Since this is true for any choice of $r$, we have (6). This concludes the proof of (1.3) of the theorem.

Definitions. 1. $c_M$ will denote a fixed positive real number so that for all $n = 1, 2, \dots$ and for all lattices $L$ in $\mathbb{R}^n$ there exists a $v \in L$, $v \ne 0$, with $\|v\| \le c_M n^{\frac12}(\det L)^{\frac1n}$. Minkowski's theorem about closed, convex, centrally symmetric bodies applied to a sphere implies the existence of such a constant.

2. If $L$ is a lattice in $\mathbb{R}^n$ then $\mathrm{unit}(L)$ will denote the number $(\det L)^{\frac1n}$.

3. Suppose that $L$ is a lattice in $\mathbb{R}^n$ and $H$ is a $k$-dimensional subspace of $\mathbb{R}^n$ so that $L' = H \cap L$ is a ($k$-dimensional) lattice in $H$. The factor lattice $L/L'$ will be the lattice that we get from $L$ by orthogonally projecting it onto $H^\perp$. (We have to prove that $L/L'$ is indeed a lattice, that is, it has a basis consisting of $n - k$ elements (over the integers). We may pick a basis $a_1,\dots,a_n$ for $L$ so that $a_1,\dots,a_k$ is in $L'$ (the assumption that $H \cap L$ is a $k$-dimensional lattice implies the existence of such a basis). If $\pi$ is the orthogonal projection of $\mathbb{R}^n$ onto $H^\perp$ then $\pi a_{k+1},\dots,\pi a_n$ will be the required basis of $L/L'$.)

Lemma 7. Suppose that $L$ is a lattice in $\mathbb{R}^n$ and $K > 0$. Then either $L$ has a factor lattice $L_1$ with $\mathrm{unit}(L_1) \ge K$ or $L$ has a basis whose each vector is not longer than $c_M K \sum_{i=1}^n i^{\frac12}$.

Proof. It is enough to prove the lemma for $K = 1$ since we may replace $L$ by $\frac1K L$. We prove the lemma by induction on $n$. For $n = 1$, $\mathrm{unit}(L)$ is the length of a shortest vector and so $c_M \ge 1$, therefore our statement trivially holds.

Assume now that the lemma holds for $n - 1$. If $\mathrm{unit}(L) \ge 1$, then our statement holds with $L_1 = L$. Suppose that $\mathrm{unit}(L) < 1$; then by Minkowski's theorem there is a $v \in L$, $v \ne 0$, so that $\|v\| \le c_M n^{1/2}\mathrm{unit}(L) < c_M n^{1/2}$. Let $W$ be the subspace orthogonal to $v$. Let $L_v$ be the one dimensional lattice generated by $v$ and $L_1$ be the factor lattice $L/L_v$. According to the inductive assumption either $L_1$ has a factor lattice $L'_1$ with $\mathrm{unit}(L'_1) \ge 1$ or $L_1$ has a basis $B'$ with vector lengths no longer than $c_M \sum_{i=1}^{n-1} i^{1/2}$. In the former case we are done since a factor lattice of $L_1$ is also a factor lattice of $L$. In the latter case we may construct a basis $B$ of $L$ in the following way. $B$ will contain $v$ and for each element $b' \in B'$ we take an element $b$ of $L$ so that $b - b'$ is in the one dimensional vector space generated by $v$ and $\|b - b'\|$ is minimal with this condition. We may pick such a $b$ from those elements whose image is $b'$ under the orthogonal projection of $L$ onto $v^\perp$. Moreover we may assume that $\|b - b'\| \le \|v\|$. Therefore the length of each element of $B$ is at most $\|v\| + c_M \sum_{i=1}^{n-1} i^{1/2} \le c_M \sum_{i=1}^n i^{1/2}$.

Definitions. 1. With each $v \in \mathbb{R}^n$ we associate a linear functional $\phi_v$ on $\mathbb{R}^n$, defined by $\phi_v(u) = v \cdot u$ for all $u \in \mathbb{R}^n$, where $\cdot$ is the inner product defined on $\mathbb{R}^n$ in the usual way.

2. Let $L$ be a lattice in $\mathbb{R}^n$. We define a subset $L^* \subseteq \mathbb{R}^n$ in the following way: $v \in L^*$ iff the functional $\phi_v$ takes integer values on every element of $L$. It is easy to see that $L^*$ is a lattice in $\mathbb{R}^n$. If $a_1,\dots,a_n$ is a basis of $L$ then the set of those functionals which take the value 1 on exactly one $a_i$ and the value 0 on all of the others forms a basis of $L^*$. This is called the dual basis of $a_1,\dots,a_n$. This construction also shows that $(\det L)(\det L^*) = 1$ and so $\mathrm{unit}(L)\mathrm{unit}(L^*) = 1$.
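The following Python code is an added illustration, not part of the paper: it carries out, in exact rational arithmetic, the three constructions the text has introduced so far that are purely computational: the reduction $b \bmod (a_1,\dots,a_n)$ of Lemma 5 (solve for the coefficients, take their integer parts, subtract), the dual basis of Definition 2 with the identity $(\det L)(\det L^*) = 1$, and the membership test "$\phi_w$ is integer-valued on the basis" for $w \in L^*$. It also checks the lower bound $\mathrm{sh}(L^*)\,\mathrm{bl}(L) \ge 1$ of Lemma 8 below on a constructed two-dimensional basis, with the dual shortest vector found by brute force over a small coefficient box (which is only adequate for such a toy example). All function names and the sample bases are my own choices; the paper does not prescribe any implementation.

```python
from fractions import Fraction
from itertools import permutations, product
from math import floor

# A basis is a list of n vectors, each a list of n rationals (Python ints are fine).
# Sample inputs used below are constructed for this example.

def solve(basis, b):
    """Exact coefficients x with sum_j x[j] * basis[j] == b (Gaussian elimination over Q)."""
    n = len(basis)
    # Augmented matrix of the column system [a_1 ... a_n | b].
    m = [[Fraction(basis[j][i]) for j in range(n)] + [Fraction(b[i])] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if m[r][col] != 0)  # exists since the basis is independent
        m[col], m[piv] = m[piv], m[col]
        p = m[col][col]
        m[col] = [x / p for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]

def combine(basis, coeffs):
    n = len(basis[0])
    return [sum((Fraction(c) * basis[j][i] for j, c in enumerate(coeffs)), Fraction(0)) for i in range(n)]

def reduce_mod(basis, b):
    """Lemma 5: the unique b' in P^-(a_1..a_n) with b - b' in L(a_1..a_n).
    Express b in the basis, take the integer parts, subtract that lattice vector."""
    coeffs = solve(basis, b)
    v = combine(basis, [floor(c) for c in coeffs])
    return [Fraction(bi) - vi for bi, vi in zip(b, v)]

def in_fundamental_domain(basis, w):
    """True iff w = sum gamma_i a_i with 0 <= gamma_i < 1."""
    return all(0 <= c < 1 for c in solve(basis, w))

def det(basis):
    """Leibniz expansion, exact; fine for the small dimensions used here."""
    n = len(basis)
    total = Fraction(0)
    for perm in permutations(range(n)):
        inversions = sum(1 for i in range(n) for j in range(i + 1, n) if perm[i] > perm[j])
        term = Fraction(1)
        for i in range(n):
            term *= Fraction(basis[i][perm[i]])
        total += (-1) ** inversions * term
    return total

def dual_basis(basis):
    """Definition 2: h_i with h_i . a_j = 1 if i == j else 0.
    Each h_i solves the row system (a_j . h_i)_j = e_i, so solve() is given the transpose."""
    n = len(basis)
    transposed = [[basis[j][i] for j in range(n)] for i in range(n)]
    return [solve(transposed, [Fraction(int(i == j)) for j in range(n)]) for i in range(n)]

def det_product(basis):
    """(det L)(det L*), which Definition 2 says equals 1."""
    return det(basis) * det(dual_basis(basis))

def dot(u, v):
    return sum((Fraction(a) * b for a, b in zip(u, v)), Fraction(0))

def is_dual_element(basis, w):
    """w in L* iff the functional phi_w is integer-valued on every basis vector of L."""
    return all(dot(a, w).denominator == 1 for a in basis)

def sq_norm(v):
    return dot(v, v)

def lower_bound_check(basis, box):
    """Lemma 8 lower bound sh(L*) * bl(L) >= 1, returned as the exact squared product.
    The dual shortest vector is searched by brute force over integer coefficient vectors
    in [-box, box]^n, which is only adequate for small toy bases."""
    dual = dual_basis(basis)
    best = None
    for coeffs in product(range(-box, box + 1), repeat=len(basis)):
        if any(coeffs):
            s = sq_norm(combine(dual, coeffs))
            best = s if best is None else min(best, s)
    return best * max(sq_norm(a) for a in basis)

if __name__ == "__main__":
    B = [[2, 1], [0, 3]]  # constructed sample basis of a lattice in Z^2, det = 6
    print("b mod (a_1, a_2) for b = (5, 7):", reduce_mod(B, [5, 7]))
    print("dual basis:", dual_basis(B), "det product:", det_product(B))
    print("squared sh(L*)*bl(L) on this basis:", lower_bound_check(B, 3))
```

For the sample basis $a_1 = (2, 1)$, $a_2 = (0, 3)$ the dual basis is $h_1 = (\frac12, 0)$, $h_2 = (-\frac16, \frac13)$, so $\det L \cdot \det L^* = 6 \cdot \frac16 = 1$; the reduction of $b = (5, 7)$ lands on $(1, 2)$, whose coefficients $(\frac12, \frac12)$ lie in $[0, 1)$ as Lemma 5 requires.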

Lemma 8. If $L$ is a lattice in $\mathbb{R}^n$ then

$1 \le \mathrm{sh}(L^*)\mathrm{bl}(L) \le c_M^2 n^{\frac12}\sum_{i=1}^n i^{\frac12} \le cn^2$, where $c$ is an absolute constant.

Proof of the lower bound. Assume that $v \in L^*$, $\|v\| = \mathrm{sh}(L^*)$ and $a_1,\dots,a_n$ is a basis of $L$ with $\max_{i=1}^n \|a_i\| = \mathrm{bl}(L)$. Since $v^\perp$ is an $(n-1)$-dimensional subspace, there is an $a_i$ so that $a_i$ and $v$ are not orthogonal and so $a_i \cdot v \ne 0$. By the definition of $L^*$, $a_i \cdot v$ is an integer and therefore $|a_i \cdot v| \ge 1$, and so $\|a_i\|\,\|v\| \ge 1$ and $\mathrm{bl}(L)\mathrm{sh}(L^*) \ge 1$.

Proof of the upper bound. For the proof we need the following trivial observation: the dual $(L/L')^*$ of the factor lattice is contained in $L^*$. Indeed assume that $u \in (L/L')^*$. Since we defined $L/L'$ as a subset of $\mathbb{R}^n$, we have that $u$ is a vector in $\mathbb{R}^n$, it is orthogonal to $L'$ and for each $v \in L/L'$, $u \cdot v$ is an integer. Let $w \in L$ be arbitrary. By the definition of $L/L'$, $w$ can be written in the form of $v + v'$, where $v \in L/L'$ and $v'$ is in the real vector space generated by $L'$. Therefore $u \cdot w = u \cdot v + u \cdot v' = u \cdot v$ is an integer and so $u \in L^*$.

Suppose that $c_M K \sum_{i=1}^n i^{1/2} = \mathrm{bl}(L)$. Then by Lemma 7 for any $K' < K$, $K' > 0$, there is a factor lattice $L_1$ of $L$ so that $\mathrm{unit}(L_1) \ge K'$. Assume that the dimension of $L_1$ is $m \le n$. Since $\mathrm{unit}(L_1^*)\mathrm{unit}(L_1) = 1$, we have $\mathrm{unit}(L_1^*) \le \frac{1}{K'}$ and so Minkowski's theorem implies that there is a nonzero vector $v \in L_1^*$ so that $\|v\| \le c_M \frac{1}{K'} m^{1/2}$. As we have seen $L_1^* \subseteq L^*$, therefore $\mathrm{sh}(L^*)\mathrm{bl}(L) \le c_M n^{1/2}\frac{1}{K'}\, c_M K \sum_{i=1}^n i^{1/2}$. This holds for any $K' < K$, which implies our upper bound. Q.E.D. (Lemma 8)

Proof of (1.2). First we prove that under the assumptions of the theorem there is an algorithm $B_1$ with the following property:

(*) Assume that $a_1,\dots,a_n \in \mathbb{Z}^n$ and there is a basis $g_1,\dots,g_n$ of $L(a_1,\dots,a_n)$ so that $\max_{i=1}^{n-1} \|g_i\| \le M$ and the distance of $g_n$ from the hyperplane $F$ generated by $g_1,\dots,g_{n-1}$ is at least $n^cM$. Then, given $a_1,\dots,a_n$ as input, $B_1$ finds a basis $d_1,\dots,d_{n-1}$ of $F \cap L(a_1,\dots,a_n)$ in time polynomial in $\sigma = \sum_{i=1}^n \mathrm{size}(a_i)$ and with a probability of at least $1 - 2^{-n}$.

Let $K = \max_{i=1}^n \|a_i\|$. By the already proven part of the theorem we may assume that $K \le n\,\mathrm{bl}(L)$. If $D$ is the distance of $g_n$ from $F$, then $\mathrm{bl}(L) \le D + (n-1)M$ and so $K \le n^{c_4}D$ for some absolute constant $c_4$. (We will assume that $c$ is sufficiently large with respect to $c_4$.) According to Lemma 1 it is enough to find $n - 1$ linearly independent elements $d_1,\dots,d_{n-1}$ of $L$ in $F$. We choose the elements $d_k$, $k = 1,\dots,n-1$, by recursion on $k$ with the additional property that $\|d_k\| \le 2n^{c_4+5}D$. Assume that the linearly independent elements $d_1,\dots,d_k \in F$, $\|d_i\| \le 2n^{c_4+5}D$, have already been selected for some $0 \le k \le n - 2$ (that is, we include the $\{d_1,\dots,d_k\} = \emptyset$ case). We may pick a basis $d_1,\dots,d_k, b_1,\dots,b_{n-k}$ of $L(a_1,\dots,a_n)$ so that $\{b_1,\dots,b_{n-k}\} \subseteq \{a_1,\dots,a_n\}$. Let $N = n^{c_4+4}D$. We consider the set $Y_N$ of all linear combinations $\sum_{j=1}^{n-k} \beta_j b_j$, where $\beta_j$, $j = 1,\dots,n-k$, are integers with $0 \le \beta_j < N$. The assumption that $d_1,\dots,d_k,b_1,\dots,b_{n-k}$ is a basis implies that if $F_k$ is the vector space generated by $d_1,\dots,d_k$ over $\mathbb{R}$, then all of the elements of $Y_N$ are in different cosets of $F_k$. Clearly $|Y_N| \ge \lfloor N \rfloor^{n-k} \ge (n^{c_4+3}D)^{n-k}$. For each $u \in Y_N$ we have $\|u\| \le (n-k)N$. Therefore $Y_N$ is contained in a sphere $S$ with radius $(n-k)N$. Since the distance between the neighboring cosets of $F$ (which have nonempty intersection with $L$) is $D$, we have that the number of cosets of $F$ which intersect $S \cap L$ is at most $1 + 2(n-k)ND^{-1} \le 2n^{c_4+5}$. Since $|Y_N| > 2n^{c_4+5}$, if we start to list the points of $Y_N$ in some arbitrary order, then we will not run out of points in the first $2n^{c_4+5}$ steps and actually among these points there will be two that are in the same coset of $F$. Suppose that $y_1,\dots,y_s$, $s = 2n^{c_4+5}$, is the list of these points and for some $i \ne l$, $y_i - y_l \in F$. (Later we will show that we can actually decide in polynomial time whether a $v \in L$ is also an element of $F$ if $\mathrm{size}(v)$ is polynomial in the input.) We claim that $d_{k+1} = y_i - y_l$ meets our requirement. Indeed $d_{k+1} \in F$ and since $y_i$ and $y_l$ are in different cosets of $F_k$, we have $d_{k+1} \notin F_k$ and so $d_1,\dots,d_k,d_{k+1}$ are linearly independent. By the definition of $Y_N$ we have $\|d_{k+1}\| \le 2(n-k)N \le 2n^{c_4+5}D$.

Finally we show how it is possible to decide whether a $v \in L(a_1,\dots,a_n)$ is also an element of $F$, provided that $\mathrm{size}(v) \le U$ where $U$ is polynomial in the size of the input. Let $t$ be a prime in the interval $(2^U, 2^{U+1})$. (We can find such a number $t$ so that with a probability exponentially close to 1 it meets this requirement.) We may assume that $U \ge n^c$ and $2^U \ge 2nND^{-1}$. Let $w = \frac1t v$. We consider the $\mathbb{Z}$-module $A$ generated by the vectors $a_1,\dots,a_n, w$. Since $tA \subseteq \mathbb{Z}^n$, $A$, as a $\mathbb{Z}$-module, can be generated by $n$ elements, so it is a lattice. By (1.1) we can give an estimate $z_A$ on $\mathrm{bl}(A) = \frac1t\mathrm{bl}(tA)$ in polynomial time with an error not greater than a factor $n^{c_3}$. We may get a similar estimate $z_L$ for $\mathrm{bl}(L)$. We claim that if $v \in F$ then $z_L/z_A \le n^{c}$ and if $v \notin F$ then $z_L/z_A > n^{c}$.

Indeed, if $v \in F$ and $D$ is the distance of the hyperplane $F$ from $g_n$ then

(7) $D \le \mathrm{bl}(A) \le D + nM.$

Since $D \ge n^cM$ where $c$ is sufficiently large with respect to $c_3$, this implies $z_L/z_A \le n^{c}$.

Assume now that $v \notin F$ and that e.g. $v$ and $g_n$ are in the same halfspace determined by the hyperplane $F$. Since $g_1,\dots,g_n$ is a basis of $L$ and $\{g_1,\dots,g_{n-1}\} \subseteq F$, we may write each vector $iw$, $i = 1,\dots,t$, in the form $z_i + \tau_i v$ where $0 \le \tau_i < 1$ and $z_i \in jg_n + F$ for some positive integer $j$. Since $v \in kg_n + F$ for some integer $k$, the choice of $U$ and $t$ implies that $t > k$ and so the primality of $t$ implies that $\tau_i > 0$ for $i = 1,\dots,t-1$ and trivially $\tau_t = 0$. Since $\tau_i$ is the fractional part of $\frac{ik}{t}$, this implies that $\tau_i = s/t$ for some integer $s$ and therefore there is a $j$, $0 < j < t$, with $\tau_j = \frac1t$. Let $z_j \in k'g_n + F$ and let $u$ be the point that we get from $jw$ by orthogonally projecting it on $k'g_n + F$. Clearly $\|jw - u\| \le \frac{D}{t}$. Since $\|g_i\| \le M$, $i = 1,\dots,n-1$, there is a $y \in k'g_n + F$ so that $\|u - y\| \le nM$. $g_1,\dots,g_{n-1}, jw - y$ are linearly independent vectors in $A$, $\|jw - y\| \le nM + \frac{D}{t}$, $\|g_i\| \le M$ for $i = 1,\dots,n-1$, therefore Lemma 1 implies that $\mathrm{bl}(A) \le n^2M + \frac{nD}{t}$. This together with (7) and $t \ge n^{2c}$ imply that $z_L/z_A > n^{c}$. Q.E.D. (*)

The only probabilistic step involved in this proof was the choice of the prime $t$. Even this can be avoided if we perform the described test for all $t = t_p$, $p = 1,\dots,2^{c}$, from a fixed list of candidate values. If $v \notin F$, for at least one value of $t$ (when $k$ is not divisible by $t$) the test will show this fact.

We may conclude now the proof of (1.2). More precisely we prove that the following holds: under the assumptions of the theorem there is an algorithm $B_2$ with the following property:

(**) assume that $a_1,\dots,a_n \in \mathbb{Z}^n$ and $v \in L(a_1,\dots,a_n)$, $v \ne 0$, and for all $w \in L$ we have that if $w$ is not in the subspace generated by $v$ then $\|w\| \ge n^c\|v\|$.

Then given $a_1,\dots,a_n$ as input, $B_2$ will output a vector $\tilde v$ in time polynomial in $\sigma = \sum_{i=1}^n \mathrm{size}(a_i)$ so that with a probability greater than $1 - 2^{-n}$, $\tilde v$ is either $v$ or $-v$.

Let $L^*$ be the dual lattice of $L(a_1,\dots,a_n)$. We will show that $L^*$ satisfies the assumption of (*) with a suitable choice of $g_1,\dots,g_n \in L^*$. First we note that the assumption about the element $v$ implies that if $L_v$ is the one dimensional lattice generated by $v$ then

(8) the factor lattice $L/L_v$ has no shorter nonzero vector than $(n^c - 1)\|v\|$.
Let $v = v_1, v_2, \dots, v_n$ be a basis of $L$, let $h_1,\dots,h_n$ be the corresponding dual basis of $L^*$ and let $g_n = h_1$. This definition of $g_n$ implies that $v \cdot g_n = 1$. Let $F$ be the hyperplane orthogonal to $v$. $v \cdot g_n = 1$ implies that the distance of $g_n$ from $F$ is $\|v\|^{-1}$. We claim that $F \cap L^* = L(h_2,\dots,h_n)$ has a basis whose elements are shorter than $n^{-c'}\|v\|^{-1}$. Indeed, this lattice is the dual of $L/L_v$, therefore Lemma 8 and property (8) imply our claim. Let $g_1,\dots,g_{n-1}$ be an arbitrary basis of $F \cap L^*$ with elements no longer than $n^{-c'}\|v\|^{-1}$. This way (*) is satisfied with $M = n^{-c'}\|v\|^{-1}$. Therefore using the algorithm whose existence was stated in (*) we are able to find a basis $u_1,\dots,u_{n-1}$ for $F \cap L^*$ in polynomial time, if $a_1,\dots,a_n$ are given as an input. We may pick a $u_n$ so that $u_1,\dots,u_n$ is a basis of $L^*$. Let $d_1,\dots,d_n$ be the dual basis in $L$. We claim that $d_1$ is $v$ or $-v$. Indeed $d_1$ is orthogonal to $u_1,\dots,u_{n-1}$, therefore it is parallel to $v$. Since $v$ is a shortest vector in $L$ we have $d_1 = kv$ for some integer $k$. $k$ must be $1$ or $-1$, otherwise $L(d_1,\dots,d_n)$ could not contain $v$, which completes the proof of the theorem.